VYPR
Breach · Published May 12, 2026 · Updated May 18, 2026 · 1 source

Malicious Hugging Face Repository Typosquats OpenAI to Deliver Rust-Based Infostealer

HiddenLayer discovered a malicious Hugging Face repository typosquatting OpenAI's Privacy Filter that drops a Rust-based infostealer, stealing browser passwords, session cookies, Discord tokens, and crypto wallets.

Security researchers have uncovered a sophisticated infostealer campaign hiding in plain sight on Hugging Face, the popular AI model repository. The malicious repository, named Open-OSS/privacy-filter, typosquatted OpenAI's legitimate Privacy Filter release and was artificially boosted to appear as one of the top-trending repositories on the platform.

AI security vendor HiddenLayer detailed the discovery in a blog post, noting that the repository had accumulated over 244,000 downloads and 667 likes in under 18 hours — figures that were almost certainly artificially inflated to make the repository appear legitimate. The malicious repo copied OpenAI's model card almost verbatim, adding to its deceptive appearance.

The attack chain unfolded over six stages. Users who landed on the repository were instructed to clone it and run start.bat on Windows or python loader.py on Linux/macOS. The Python script contained a base64-encoded string that ultimately dropped a Rust-based infostealer executable.

The infostealer employed multiple techniques to evade detection. It obscures its use of Windows APIs to hinder static analysis, checks for attached debuggers and sandbox environments, looks for signs that it is running in a virtual machine (VirtualBox, VMware, QEMU, Xen), and attempts to disable the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioral detection.
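The two preceding paragraphs describe what a defender can actually look for before running anything from a cloned repository: a Python loader that carries a long base64 string decoding to a Windows executable, and a payload containing the kind of VM-vendor and AMSI/ETW strings tied to the evasion logic. The following static triage script is an added example, not HiddenLayer's tooling and not code from the malicious repository. The base64 length threshold, the indicator string lists (the Windows API names are real exports, but their inclusion here is an assumption about what such a payload references), and the sample loader with its fake "MZ" payload are all constructed for illustration.

```python
"""
Static triage for a cloned repository's Python loader (added example).
Flags (1) exec primitives in the script, (2) long base64 blobs that decode
to a PE image, and (3) evasion indicator strings inside the decoded blob.
Sample input below is constructed; it is never executed, only scanned.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# Base64 runs at least this long are decoded; shorter runs are usually
# benign tokens or hashes. The threshold is an assumption for this example.
MIN_BLOB_LEN = 64
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)

# Calls a loader needs in order to drop and launch a second-stage binary.
EXEC_RE = re.compile(r"\b(exec|eval|subprocess|os\.system|ctypes)\b")

# Indicator strings (assumed, by category) matching the evasion behaviours
# described in the write-up: VM vendor names, AMSI and ETW entry points.
EVASION_INDICATORS = {
    "vm_check": [b"VirtualBox", b"VMware", b"QEMU", b"Xen"],
    "amsi_bypass": [b"AmsiScanBuffer", b"AmsiInitialize"],
    "etw_bypass": [b"EtwEventWrite", b"EtwEventRegister"],
}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def find_blobs(source: str) -> list[bytes]:
    """Return the decoded bytes of every long base64 run in a script."""
    decoded = []
    for match in B64_RE.finditer(source):
        core = match.group(0).rstrip("=")
        core += "=" * (-len(core) % 4)  # normalise padding before decoding
        try:
            decoded.append(base64.b64decode(core, validate=True))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all; skip it
    return decoded


def triage_payload(data: bytes) -> list[Finding]:
    """Inspect a decoded blob for a PE header and evasion indicator strings."""
    findings = []
    if data[:2] == b"MZ":
        findings.append(Finding("pe_executable", "decoded blob starts with an MZ header"))
    for kind, needles in EVASION_INDICATORS.items():
        hits = [n.decode() for n in needles if n in data]
        if hits:
            findings.append(Finding(kind, ", ".join(hits)))
    return findings


def triage_loader(source: str) -> list[Finding]:
    """Scan loader source: exec primitives first, then every embedded blob."""
    findings = []
    exec_hit = EXEC_RE.search(source)
    if exec_hit:
        findings.append(Finding("exec_primitive", exec_hit.group(0)))
    for blob in find_blobs(source):
        findings.extend(triage_payload(blob))
    return findings


# Constructed sample: a fake PE-like payload (MZ magic, NOP filler, strings)
# embedded in a minimal loader skeleton. Nothing here is a real binary.
FAKE_PAYLOAD = (
    b"MZ" + b"\x90" * 40
    + b"VirtualBox\x00VMware\x00QEMU\x00AmsiScanBuffer\x00EtwEventWrite\x00"
)
SAMPLE_LOADER = (
    "import base64, subprocess\n"
    f"blob = '{base64.b64encode(FAKE_PAYLOAD).decode()}'\n"
    "# (dropper logic omitted; this sample is only ever scanned)\n"
)


def summarize(findings: list[Finding]) -> str:
    """Render findings as one line per category, or 'clean' if none."""
    if not findings:
        return "clean"
    return "\n".join(f"[{f.kind}] {f.detail}" for f in findings)


if __name__ == "__main__":
    print(summarize(triage_loader(SAMPLE_LOADER)))
    print(summarize(triage_loader("print('hello')")))
```

Running this over the constructed sample reports an exec primitive, a PE header inside the decoded blob, and hits in all three evasion categories, while a plain `print('hello')` script comes back clean. The point of the blob decoding step is that a base64 string in a loader is not itself the indicator; what it decodes to is, and that only becomes visible once the triage tool does the decoding instead of the user.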

The malware was designed to steal browser passwords and session cookies, Discord tokens, crypto wallets, Telegram sessions, and more. HiddenLayer urged any user who cloned the malicious repo and executed files from it to treat their system as fully compromised.

"Because the payload is a credential-harvesting infostealer, do not log into anything from the affected host before wiping it," the vendor explained. Users should rotate every credential stored in browsers, password managers, or credential stores on that machine, including saved passwords, session cookies, OAuth tokens, SSH keys, FTP credentials, and any cloud provider tokens.

This incident highlights the growing risks in the AI supply chain, as threat actors increasingly target platforms like Hugging Face to distribute malware. Infostealers continue to fuel a thriving cybercrime economy, with recent data from KELA revealing at least 347 million credentials were originally obtained by infostealers found on around 3.9 million infected machines.

Synthesized by Vypr AI